A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday.
The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025.
“The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories,” Trend Micro’s Zero Day Initiative (ZDI) said in an alert released last month. “An attacker can leverage this vulnerability to execute code in the context of a service account.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Ryota Shiga of GMO Flatt Security Inc., along with the company’s artificial intelligence (AI)-powered AppSec Auditor Takumi, has been credited with discovering and reporting the vulnerability.
It’s worth noting that 7-Zip 25.00 also resolves another flaw, CVE-2025-11002 (CVSS score: 7.0), that allows for remote code execution by taking advantage of improper handling of symbolic links within ZIP archives, resulting in directory traversal. Both shortcomings were introduced in version 21.02.
“Active exploitation of CVE-2025-11001 has been observed in the wild,” NHS England Digital said. However, there are currently no details available on how it’s being weaponized, by whom, and in what context.
Given that there exists proof-of-concept (PoC) exploits, it’s essential that 7-Zip users move quickly to apply the necessary fixes as soon as possible, if not already, for optimal protection.
“This vulnerability can only be exploited from the context of an elevated user / service account or a machine with developer mode enabled,” security researcher Dominik (aka pacbypass), who released the PoC, said in a post detailing the flaws. “This vulnerability can only be exploited on Windows.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices